This document serves as an introduction to using Cilium to enforce
security policies in Kubernetes micro-services managed with Istio. It
is a detailed walk-through of getting a single-node Cilium + Istio
environment running on your machine.

If you have not set up Cilium yet, pick any installation method as described in
section Installation to set up Cilium for your Kubernetes environment. If
in doubt, pick Getting Started Using Minikube as the simplest way to set up a Kubernetes
cluster with Cilium:

If running on minikube, you may need to increase the memory and CPUs
available to the minikube VM beyond the defaults and/or the values
given in the other GSGs. 5 GB and 4 CPUs should be enough for this
GSG (--memory=5120 --cpus=4).

Modify the Istio sidecar injection template to add an init container
that waits until DNS works and to mount Cilium’s API Unix domain
sockets into each sidecar to allow Cilium’s Envoy filters to query the
Cilium agent for policy configuration:

Check the progress of the deployment (every service should have an
AVAILABLE count of 1):

    $ watch "kubectl get deployments"
    NAME             READY   UP-TO-DATE   AVAILABLE   AGE
    details-v1       1/1     1            1           12s
    productpage-v1   1/1     1            1           13s
    reviews-v1       1/1     1            1           12s

Once all the pods are available, verify that the application works by
making a query from the reviews pod to the productpage:

Note

‘sudo’ here is needed so that the curl connection is forwarded to the
proxy. Without it the connection is considered to come from the proxy
itself, and the destination proxy closes the connection when the
(missing) TLS handshake fails.

Open that URL in your web browser and check that the application has
been successfully deployed. It may take several seconds before all
services become accessible in the Istio service mesh, so you may
have to reload the page.

We will now deploy version v2 of the reviews service. In
addition to providing reviews from readers, reviews-v2 queries a
new ratings service for book ratings and displays each rating as
1 to 5 black stars.

As a precaution, we will use Istio’s service routing feature to canary
the v2 deployment to prevent breaking the end-to-end application
completely if it is faulty.

Before deploying v2, we will create the following Istio route rule to
route 100% of the reviews traffic to v1, so that no traffic is routed
to v2 for now:
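As an added example (not one of the guide's own manifests), this is what such a route rule looks like with Istio's v1alpha3 networking API; the service name reviews, the version labels of its pods and the API version are assumptions about the bookinfo sample, not taken from this page. It goes slightly beyond this step: the same object is what later shifts traffic to 50/50 and then 100% v2, by changing only the two weights.

```yaml
# Added example: Istio route rule sending all reviews traffic to v1.
# Assumed: a "reviews" service whose pods carry "version: v1" or
# "version: v2" labels (Istio bookinfo sample conventions).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    # Canary stages used later in the guide, reached by editing only
    # these two weights: 100/0 (v2 deployed but idle), 50/50 (stars on
    # about half of the refreshes), 0/100 (stars on every refresh).
    - destination:
        host: reviews
        subset: v1
      weight: 100
    - destination:
        host: reviews
        subset: v2
      weight: 0
```

Apply both objects with kubectl apply -f; the DestinationRule must exist for the subsets referenced by the VirtualService to resolve.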

Check the progress of the deployment (every service should have an
AVAILABLE count of 1):

    $ watch "kubectl get deployments"
    NAME             READY   UP-TO-DATE   AVAILABLE   AGE
    details-v1       1/1     1            1           17m
    productpage-v1   1/1     1            1           17m
    ratings-v1       1/1     1            1           69s
    reviews-v1       1/1     1            1           17m
    reviews-v2       1/1     1            1           68s

Check in your web browser that no stars appear in the Book
Reviews, even after refreshing the page several times. This indicates
that all reviews are retrieved from reviews-v1 and none from
reviews-v2.

The ratings-v1 CiliumNetworkPolicy explicitly whitelists access
to the ratings API only from productpage and reviews-v2:
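The policy below is an added example of such a whitelist, not the guide's own ratings-v1 file. The pod labels (app=ratings/version=v1, app=productpage, app=reviews/version=v2), the port 9080 and the GET /ratings/<id> API are assumptions taken from the Istio bookinfo sample rather than from this page.

```yaml
# Added example of a CiliumNetworkPolicy for the ratings service.
# Assumed (bookinfo sample conventions, not stated on this page): pod
# labels app=ratings/version=v1, app=productpage, app=reviews/version=v2,
# and the ratings API listening on TCP 9080 under GET /ratings/<id>.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ratings-v1
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: ratings
      version: v1
  ingress:
  # Selecting the endpoint with an ingress rule makes ingress
  # default-deny: only these two identities may reach ratings at all;
  # reviews-v1 and every other pod are dropped at L3/L4.
  - fromEndpoints:
    - matchLabels:
        app: productpage
    - matchLabels:
        app: reviews
        version: v2
    toPorts:
    - ports:
      - port: "9080"
        protocol: TCP
      # Layer-7 rule: within the allowed identities, only GET on the
      # ratings resource passes. The path is a regex matched against the
      # whole request path, so "/ratings/0/extra" or a POST is answered
      # with "Access denied" (HTTP 403) by the proxy instead of being
      # forwarded.
      rules:
        http:
        - method: GET
          path: "/ratings/[0-9]+"
```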

Check in your web browser that stars appear in the Book Reviews
roughly 50% of the time. You may need to refresh the page for a
few seconds to observe this. Queries to reviews-v2 result in reviews
containing ratings displayed as black stars:

Refresh the product page in your web browser several times to verify
that stars now appear in the Book Reviews on every page
refresh. All the reviews are now retrieved from reviews-v2 and
none from reviews-v1.

    [{"descriptionHtml":"<a href=\"https://en.wikipedia.org/wiki/The_Comedy_of_Errors\">Wikipedia Summary</a>: The Comedy of Errors is one of <b>William Shakespeare's</b> early plays. It is his shortest and one of his most farcical comedies, with a major part of the humour coming from slapstick and mistaken identity, in addition to puns and word play.","id":0,"title":"The Comedy of Errors"}]
    {"publisher":"PublisherA","language":"English","author":"William Shakespeare","id":0,"ISBN-10":"1234567890","ISBN-13":"123-1234567890","year":1595,"type":"paperback","pages":200}
    {"reviews":[{"reviewer":"Reviewer1","rating":{"color":"black","stars":5},"text":"An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!"},{"reviewer":"Reviewer2","rating":{"color":"black","stars":4},"text":"Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare."}],"id":"0"}
    {"ratings":{"Reviewer2":4,"Reviewer1":5},"id":0}

We realized that the REST API for book reviews and ratings was
meant only for consumption by other internal services, so it will be
blocked from external clients using the updated Layer-7
CiliumNetworkPolicy in productpage-v2, i.e. only the
/api/v1/products and /api/v1/products/<id> HTTP URLs will be
whitelisted:
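As an added example (not the guide's own productpage-v2 policy), the rule below shows how the two API URLs are whitelisted so that the reviews and ratings sub-resources fall outside every allowed path. Everything beyond the two API paths is an assumption: port 9080, the browser-facing UI paths of the bookinfo app, and the label and namespace of the Istio ingress gateway as the external source.

```yaml
# Added example of the updated Layer-7 ingress policy on productpage-v2.
# Assumed (not from this page): productpage listens on TCP 9080, the
# bookinfo UI paths (/, /productpage, /login, /logout, /static/...),
# and that external clients arrive through the Istio ingress gateway.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: productpage-v2
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: productpage
      version: v2
  ingress:
  - fromEndpoints:
    - matchLabels:
        # Assumed label of the ingress gateway pods. fromEndpoints only
        # matches the policy's own namespace unless the namespace label
        # is given explicitly, hence the second key.
        istio: ingressgateway
        k8s:io.kubernetes.pod.namespace: istio-system
    toPorts:
    - ports:
      - port: "9080"
        protocol: TCP
      rules:
        http:
        # UI paths the browser needs (assumed from the bookinfo app).
        - method: GET
          path: "/"
        - method: GET
          path: "/productpage"
        - method: GET
          path: "/static/.*"
        - method: POST
          path: "/login"
        - method: GET
          path: "/logout"
        # The two whitelisted API URLs. Each regex must match the whole
        # path, so /api/v1/products/0/reviews and /api/v1/products/0/ratings
        # match neither entry and get "Access denied" (403) from the proxy.
        - method: GET
          path: "/api/v1/products"
        - method: GET
          path: "/api/v1/products/[0-9]+"
```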

productpage-v2 implements authorization audit logging. On
every user login or logout, it produces into the Kafka topic authaudit
a JSON-formatted message containing the following information:

event: login or logout

username

client IP address

timestamp

To observe the Kafka messages sent by productpage, we will run an
additional authaudit-logger service. This service fetches and
prints out all messages from the authaudit Kafka topic. Start
this service:

    [{"descriptionHtml":"<a href=\"https://en.wikipedia.org/wiki/The_Comedy_of_Errors\">Wikipedia Summary</a>: The Comedy of Errors is one of <b>William Shakespeare's</b> early plays. It is his shortest and one of his most farcical comedies, with a major part of the humour coming from slapstick and mistaken identity, in addition to puns and word play.","id":0,"title":"The Comedy of Errors"}]
    {"publisher":"PublisherA","language":"English","author":"William Shakespeare","id":0,"ISBN-10":"1234567890","ISBN-13":"123-1234567890","year":1595,"type":"paperback","pages":200}
    Access denied
    Access denied

This demonstrates that requests to the
/api/v1/products/<id>/reviews and
/api/v1/products/<id>/ratings URIs now result in Cilium returning
HTTP 403 Forbidden responses.

Every login and logout on the product page will result in a line in
this service's log. Note that you need to log in and out using the
sign in/sign out element on the bookinfo web page. When you do, you
can observe audit logs like these:

As you can see, the user-identifiable information sent by
productpage in every Kafka message is sensitive, so access to this
Kafka topic must be protected using Cilium. The CiliumNetworkPolicy
configured on the Kafka broker enforces that:

only productpage-v2 is allowed to produce messages into the
authaudit topic;